
Where do saved search results go?

Communicator

Now that I've used the "Save results" button on my search results and can access them through the jobs screen, where is that saved result data being kept? Are they in the same index as they were when I found them? Have those results been copied to a new index? Are those results in some extra-index phantom zone?

My main reason for asking is that I want to know if they are subject to the same retention/rollover schedule as the indexes in which those results lived before I searched them out and captured them with "save results."

Any takers?

Thank you!

-Steve


Re: Where do saved search results go?

Splunk Employee

Saved search results are coming from the index they've initially been pulled from; however, the results are pulled from on disk in the $SPLUNK_HOME/var/run/splunk/dispatch/search/ folder.

As an example, here are some of mine, again, in $SPLUNK_HOME/splunk/var/run/splunk/dispatch:

drwx------   2 stuff things  4096 May 26 10:15 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb
drwx------   2 stuff things  4096 May 26 10:30 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306431000_ff79649bab08acd2
drwx------   2 stuff things  4096 May 26 10:35 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357
drwx------   2 stuff things  4096 May 26 10:40 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431600_e21d10240c010dc6

The results would be held on disk until the TTL for that particular search expires, irrespective of whether the retention policy has rolled the events from cold to frozen.

Once they are frozen, your search will never return those results again unless you are using a coldToFrozenDir or script and you've thawed the data.

They are subject to the same retention policy, but since they are held on disk until the job expires, you won't see the effect until that occurs.

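An added example, not part of the original answer and not Splunk's own code: because dispatch artifacts stay on disk until their TTL expires, an inventory of that directory shows which saved searches still hold result data outside index retention. The name layout parsed here (user, app, unpadded base64 search name, epoch, hex id) is an assumption inferred from the four directory names in the listing above.

```python
import base64
import re
from datetime import datetime, timezone

# Assumed layout, inferred from the listing in the answer (not a documented format):
#   scheduler__<user>__<app>_<base64 search name, padding stripped>_at_<epoch>_<hex id>
SID_RE = re.compile(
    r"^scheduler__(?P<user>[^_]+)__(?P<app>[^_]+)_"
    r"(?P<b64>[A-Za-z0-9+/]+)_at_(?P<epoch>\d+)_(?P<suffix>[0-9a-f]+)$"
)

# Listing lines copied from the answer above.
LISTING = """\
drwx------   2 stuff things  4096 May 26 10:15 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb
drwx------   2 stuff things  4096 May 26 10:30 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306431000_ff79649bab08acd2
drwx------   2 stuff things  4096 May 26 10:35 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357
drwx------   2 stuff things  4096 May 26 10:40 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431600_e21d10240c010dc6
"""


def parse_dispatch_dir(name):
    """Return owner, app, search name and scheduled time for one directory name."""
    m = SID_RE.match(name)
    if m is None:
        return None  # ad hoc or differently named job: not covered by this layout
    b64 = m["b64"] + "=" * (-len(m["b64"]) % 4)  # restore stripped padding
    try:
        search = base64.b64decode(b64, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    scheduled = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    return {"user": m["user"], "app": m["app"], "search": search,
            "scheduled_utc": scheduled, "id": m["suffix"]}


def inventory(listing):
    """Parse `ls -l` style lines; the directory name is the last field."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        entry = parse_dispatch_dir(fields[-1]) if fields else None
        if entry is not None:
            rows.append(entry)
    return rows


if __name__ == "__main__":
    for e in inventory(LISTING):
        print(f'{e["scheduled_utc"].isoformat()}  {e["user"]}/{e["app"]}  {e["search"]}')
```
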

Re: Where do saved search results go?

Communicator

Thank you for the great answer. Would I be able to adjust the TTL of that saved search, say, through savedsearches.conf? Dispatch.ttl seems almost like what I'm looking for, but the conf description introduces some ambiguities.

0 Karma

Re: Where do saved search results go?

Splunk Employee

Yes, you can adjust the ttl by setting dispatch.ttl. That is exactly what it is for. You can also set it when you dispatch the saved search using the -timeout parameter on the CLI, or the timeout parameter in the REST API.

0 Karma